SIEM error unexpected token <in JSON at position 0

Elastic Security SIEM
1

Hi all
I currently have a very anoying problems
Everytime i went to SIEM app, they load for sometime and then the system popup a error unexpected token <in JSON at position 0 like 2 time, one for network error and one are visualization error. both have the json error above, before the error appear i cannot do some stuff on SIEM, it is like it trying to load data for me to work.
After the error appear then i can interact with the system again without any problems, but it still takes some time for that to happen and it is very anoying, Can anybody help me.
btw i have tried to increase timeout up to 10m and the problems still persisted.

Thanks you for your time.

2

Hello @lusynda,

Sorry to hear that. I'd like to understand more about your case. Could you please which page you usually land on SIEM app? Could you please check if you have saved any query? Have you ever imported / created any custom timeline templates or rules to SIEM app or updated Advanced settings? Thanks :slight_smile:

3
  • I usually use detection and network tab.
  • I do have a lots of saved query, and a few custom rule and also i do change a bit in the Advanced settings but i do not thinks that is the problems.
4

Hey @lusynda !

What version of Kibana are you on? Would it be possible for you to list out the exact steps that reliably reproduce what you are seeing? Are you using any custom indexes?

Best,
Yara

5
  • Yes well the whole cluster version are 7.9.0.
  • The step are just how when i usually started to create an rule or change some of them: i went to siem app, click on detection tab, then after a while then the error will appear.
  • most of the indexes iam using are custom indexes.
6

Hi @lusynda, if you have too much data per 24 hour time block that could be causing a lot of timeout issues depending on several factors such as how much data you're ingesting vs how many ES nodes you have.

Under Stack Management -> Advanced Settings you can set your time range to be smaller than the default 24 hours such as 1 hour or 15 minutes. It's default is 24 hours which could be too much data to display all at once if you have a lot of data over a 24 hour time span:

Screen Shot 2020-10-20 at 4.41.51 PM
Screen Shot 2020-10-20 at 4.41.51 PM2508×368 26 KB

I would start there and decrease that number until you can view the pages without errors. A second part to this is for 7.9.1+ we have implemented several perf improvements that might help you out as well if you're on just 7.9.0 I would recommend upgrading to the latest 7.9.2:


7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.